Solved

Cisco ASA 5510 with Postini

Posted on 2009-04-07
1,269 Views
Last Modified: 2013-11-16
I just started working here about 6 months ago and this organization has their backbone router (150.50.1.1, Cisco 2610) with a default gateway setting of 0.0.0.0 0.0.0.0 150.50.1.89, where .89 is the inside interface of a Sun Microsystems Cobalt Qube3. This device has an external interface of 74.xxx.xxx.130 and it has a default gateway setting of 74.xxx.xxx.129, where .129 is the address of our BellSouth managed router that our T1 line is on.

They bought a Cisco ASA 5510 before I got here and all they've been using it for is a VPN endpoint, so I'm trying to get all the traffic going out through the ASA instead of the Qube so we can decommission it. I have internet access working. I switched the default gateway of 150.50.1.1 (the backbone router) to 0.0.0.0 0.0.0.0 150.50.1.29, where .29 is the internal interface of the ASA. I then configured the ASA with an outside interface address of 74.xxx.xxx.149 and made its default gateway 0.0.0.0 0.0.0.0 74.xxx.xxx.129.

So now I have all my traffic going out through the ASA, no problem. I made the switch last night, tested it, and everything looked good. Came in this morning and my users are telling me, hey, we aren't getting any emails from external sources. So I log in to Postini and sure enough the Delivery Manager is set to deliver to 74.xxx.xxx.130 (the outside address of the old Qube). OK, so I change this address to 74.xxx.xxx.149 (the outside address of the ASA).

Well, that didn't fix it, as Postini is reporting that it cannot connect to 74.xxx.xxx.149.

FYI the IP address of our Exchange server is 150.50.1.37 and Postini's network range is 64.18.0.0 255.255.240.0.

So I go into the ASA config and add:

access-list [outside interface name]_access_in extended permit tcp 64.18.0.0 255.255.240.0 host 74.xxx.xxx.149 eq smtp
access-group [outside interface name]_access_in in interface [outside interface name]

access-list [inside interface name]_access_out extended permit tcp host 150.50.1.37 64.18.0.0 255.255.240.0 eq smtp
access-list [inside interface name]_access_out extended deny tcp any any eq smtp
access-list [inside interface name]_access_out extended permit ip any any
access-group [inside interface name]_access_out in interface inside

No dice, Postini's web interface still reports that it cannot connect to 74.xxx.xxx.149.

I can run a traceroute from Postini's web interface to 74.xxx.xxx.149 and it gets there successfully, so obviously the ASA is letting ICMP packets in.

The funny thing is, if I send an email OUT from inside to my Gmail I get it just fine, but when I try to reply back IN I never get the email, and I never get a bounceback in my Gmail box of ANY KIND.

What am I doing wrong here?
Question by:gedruspax

Expert Comment

by:andrewis
Looks like you're missing the static NAT.

Try adding:

conf t
static (inside,outside) tcp 74.xxx.xxx.149 25 150.50.1.37 25 netmask 255.255.255.255
clear xlate


Expert Comment

by:MikeKane
IIRC, Postini needs a connection into the mail server to forward in the mail.  

What I do not see in your post is a static translation or a port forward command sending information INTO your email server's IP address.   Right now, POSTINI is configured to use your ASA's ip, and there is no email server answering there....  

Without looking at the entire firewall config, it looks like you are only missing the STATIC command.  

If you have a block of IPs available, then you can do a 1 to 1 static map:
STATIC (inside,outside)  <outside ip> <inside ip> netmask <inside ip mask>

If you have only the 1 IP on the interface available, then you need to forward the port to the internal box using:
STATIC (inside,outside) tcp 74.xxx.xxx.149 <port #> <inside ip> <port #> netmask <inside mask>
 
You can add as many port forwards as you need (I forget exactly what Postini needs).


The Access-lists would allow inbound SMTP on the outside ip address you assign to the static.  

Hope that helps, post back if you need clarification.

Author Comment

by:gedruspax
Alright, I added the static NAT, but the Postini web interface still says that it can't even connect to 74.xxx.xxx.149.

Enclosed is a picture of the graph from the Postini web interface; you'll notice what happens to the connection as soon as I switch it from .130 to .149.
Graph.jpg

Expert Comment

by:andrewis
Odd - it should have worked. Did you "clear xlate"?

You could set up a capture to make sure you can see the packets arriving at the firewall outside interface.

example

access-list capture permit tcp 64.18.0.0 255.255.240.0 host 74.xxx.xxx.149 eq smtp
capture SMTP access-list capture interface outside

sh capture SMTP



Author Comment

by:gedruspax
As soon as I change the default gateway in 150.50.1.1 back to 0.0.0.0 0.0.0.0 150.50.1.89 and change the Postini delivery address back to 74.xxx.xxx.130 (yeah, I know you can see the IPs on the graph, I'm dumb), everything starts working properly again.

I have to be missing something here, but I'm not sure what it is.

Would it help for me to post my ASA config?

Expert Comment

by:andrewis
Yeah, post it - it should help.


Expert Comment

by:MikeKane
What STATIC command did you opt for? The port forward on .149 or the static 1 to 1 on some other address?

In either case, to test, you should be able to telnet to port 25 on the IP you opted for from a host on the outside. If you get a response, then the firewall is configured correctly and we can double check the Postini requirements. Also, for testing, you should consider disabling the FIXUP SMTP.


Author Comment

by:gedruspax
OK, here are the results when I run a packet trace on the
access-list [outside interface name]_access_in extended permit tcp 64.18.0.0 255.255.240.0 host 74.xxx.xxx.149 eq smtp rule in the ASDM software:

Interface Outside
Source IP 64.18.0.1
Source Port 1065
Dest IP 74.253.1.49
Dest Port 25

Type - NAT
Subtype - rpf-check
Action - DROP
 
Config
nat (Inside_INF) 0 access-list Inside_INF_nat0_outbound
nat (Inside_INF) 20 150.50.1.0 255.255.255.0
match ip Inside_INF 150.50.1.0 255.255.255.0 DMZ any
dynamic translation to pool 20 (74.253.1.149 [Interface PAT])
translate_hits = 42537, untranslate_hits = 1972

Result - Packet is dropped

Input Int - Outside - up up
output int - inside - up up

info - (acl-drop) flow is denied by configured rule.

Expert Comment

by:MikeKane
Your destination IP in the test was
Dest IP 74.253.1.49
Dest Port 25

In the examples you have 74.xxx.xxx.149.

It doesn't match up.

Author Comment

by:gedruspax
OK, I am attaching the ASA config.

A few things to keep in mind, and what I've tried so far.

We have several sites connected with frame relay.

150.50.1.0 network
150.50.2.0 network
150.50.3.0 network
150.50.4.0 network
150.50.5.0 network
150.50.10.0 network
150.50.11.0 network
and 150.50.12.0 network

Now, if I REMOVE the dynamic NAT entry on the inside interface, the packet trace from my previous post works like a charm! But the kicker is I lose internet access at ALL my remote sites besides the main admin complex (150.50.1.0 network). If I put the dynamic rule back in I get my internet access back at all remote sites, but then the packet trace for Postini fails.
ASA.txt

Author Comment

by:gedruspax
Mike Kane - I saw that and fixed it and reran the packet trace and still got the same results; that was a typo on my part when I was entering the config info, but it didn't fix the problem.

Author Comment

by:gedruspax
There is something about the dynamic NAT rule that I have on the inside interface that is causing the packet drops. I just can't figure out why.

Expert Comment

by:MikeKane
I do not see any STATICs to send traffic inside the network.  

To have traffic move from a lower security interface (the DMZ) to the higher security interface (the Inside) you need a STATIC map.    

You will need to add:
STATIC (inside,outside) tcp interface 25 150.50.1.33 25 netmask 255.255.255.255    

then you need to allow the traffic with an access list, you already have this:
access-list DMZ_access_in extended permit tcp interface DMZ eq smtp host 150.50.1.33 eq smtp

Then test it.   You should have port 25 open to the outside world on your interface IP redirected into the mail server now.

Author Comment

by:gedruspax
Now I get this on packet trace from 64.18.0.1 ----> 150.50.1.149

Type - NAT
Subtype - rpf-check
Action - DROP
Show rule in NAT Rules table.
Config
static (Inside_INF,DMZ) tcp interface smtp 150.50.1.149 smtp netmask 255.255.255.255
match tcp Inside_INF host 150.50.1.149 eq 25 DMZ any
static translation to 74.253.1.149/25
translate_hits = 0, untranslate_hits = 0

(acl-drop) flow is denied by configured rule

Author Comment

by:gedruspax
And if I run a trace from 150.50.1.149 (inside ASA int) to 150.50.1.37 (Exchange)

I get

Type - NAT
Action - DROP
Show rule in NAT Rules table.
Config
nat (Inside_INF) 0 access-list Inside_INF_nat0_outbound
nat (Inside_INF) 20 0.0.0.0 0.0.0.0 dns
match ip Inside_INF any Inside_INF any
dynamic translation to pool 20 (No matching global)
translate_hits = 2, untranslate_hits = 0

Author Comment

by:gedruspax
Alright, at this point I have any-any traffic allowed on the inside and outside interfaces, incoming and outgoing. The thing is wide open, so this has got to be a NATing issue.

Accepted Solution

by:andrewis (earned 250 total points)
static (Inside_INF,dmz) tcp interface 25 150.50.1.37 25 netmask 255.255.255.255
clear xlate

Any traffic hitting the DMZ interface (74.253.1.149) with a destination port of TCP 25 will be forwarded to your Exchange server on the inside (150.50.1.37).
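
The accepted answer's port forward, assembled with the matching access-lists and the packet-tracer check the poster used into one consistent pre-8.3 configuration (an added example, not from the thread); it assumes the thread's interface names Inside_INF and DMZ, Exchange at 150.50.1.37 and Postini's 64.18.0.0/20 range, and the packet-tracer source address is a constructed value inside that range:

```cisco
! Added example, not from the thread. Pre-8.3 NAT syntax, interface names
! as used on this ASA: Inside_INF (inside) and DMZ (holds 74.253.1.149,
! the address Postini delivers to).

! Wrong for this box: the interface pair must use the names actually
! configured, not the generic inside/outside. With the wrong pair no
! static matches the inbound flow and packet-tracer reports a NAT
! rpf-check drop, as seen in the thread.
! static (inside,outside) tcp interface 25 150.50.1.37 25 netmask 255.255.255.255

! Correct: forward TCP/25 arriving on the DMZ interface address to Exchange.
static (Inside_INF,DMZ) tcp interface 25 150.50.1.37 25 netmask 255.255.255.255

! Inbound: only Postini's delivery range may reach the forwarded port.
! Any other SMTP source hitting the DMZ interface falls to the implicit deny,
! so the server is not reachable by arbitrary hosts on the Internet.
access-list DMZ_access_in extended permit tcp 64.18.0.0 255.255.240.0 interface DMZ eq smtp
access-group DMZ_access_in in interface DMZ

! Outbound: only the Exchange server may open SMTP sessions to the Internet,
! so a compromised workstation cannot send mail directly.
access-list Inside_INF_access_in extended permit tcp host 150.50.1.37 any eq smtp
access-list Inside_INF_access_in extended deny tcp any any eq smtp
access-list Inside_INF_access_in extended permit ip any any
access-group Inside_INF_access_in in interface Inside_INF

! Flush existing translations so the new static takes effect immediately.
clear xlate

! Verification from enable mode: simulate a Postini connection (constructed
! source 64.18.0.1:1065) and confirm the static entry is present.
packet-tracer input DMZ tcp 64.18.0.1 1065 74.253.1.149 25
show xlate | include 150.50.1.37
```

A successful trace ends with "Action: allow" and an output interface of Inside_INF; a NAT rpf-check drop at this point means the static's interface pair or address still does not match the packet.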


Expert Comment

by:MikeKane
Andrew is correct, I gave you a static going inside to outside, habit I suppose. Yours is in the DMZ.